2nd Exploit for DNS Cache Poisoning - RELEASED

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Thu Jul 24 17:54:23 UTC 2008


Hi,

	Not sure if anyone has seen yet, but there is a 2nd
exploit being circulated. I just picked it up on metasploits
SVN trunk....

	The first was called "baliwicked_host", and the
description was :

This exploit attacks a fairly ubiquitous flaw in DNS implementations which 
Dan Kaminsky found and disclosed ~Jul 2008.  This exploit caches a single
malicious host entry into the target nameserver by sending random hostname
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for that domain. Eventually, a 
guessed ID will match, the spoofed packet will get accepted, and due to the 
additional hostname entry being within bailiwick constraints of the original
request the malicious host entry will get cached.

	The new one is called "baliwicked_domain" and its described
as :

This exploit attacks a fairly ubiquitous flaw in DNS implementations which 
Dan Kaminsky found and disclosed ~Jul 2008.  This exploit replaces the target
domains nameserver entries in a vulnerable DNS cache server. This attack works
by sending random hostname queries to the target DNS server coupled with spoofed
replies to those queries from the authoritative nameservers for that domain.
Eventually, a guessed ID will match, the spoofed packet will get accepted, and
the nameserver entries for the target domain will be replaced by the server
specified in the NEWDNS option of this exploit.



				Tuc/TBOH




More information about the NANOG mailing list